path: root/roles/openshift_hosted_metrics/tasks/install.yml
---

# Probe for the metrics-deployer service account in openshift-infra. The
# result is only registered; this task never reports a change.
- name: Test if metrics-deployer service account exists
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace=openshift-infra
    get serviceaccount metrics-deployer -o json
  register: serviceaccount
  changed_when: false
  # Never fail here: the return code is the signal the following task keys on.
  # NOTE(review): rc == 1 is read as "not found" downstream, but the client
  # presumably returns 1 for other errors too (bad kubeconfig, API
  # unreachable) - confirm that is acceptable.
  failed_when: false

# Create the service account from the metrics_deployer_sa variable.
- name: Create metrics-deployer Service Account
  # shell (not command) is required for the pipe. The object is serialized
  # with to_json and then passed through the quote filter, so the shell sees
  # it as one escaped argument to echo rather than as shell syntax.
  shell: >
    echo {{ metrics_deployer_sa | to_json | quote }} |
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    create -f -
  # Runs only when the preceding probe returned rc 1.
  when: serviceaccount.rc == 1

# Read the userNames of the rolebinding named "edit" in openshift-infra.
# Read-only query; its stdout drives the conditional on the following task.
- name: Test edit permissions
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    get rolebindings -o jsonpath='{.items[?(@.metadata.name == "edit")].userNames}'
  register: edit_rolebindings
  changed_when: false

# Grant the "edit" role in openshift-infra to the metrics-deployer service
# account, unless the account already appears in the rolebinding output.
- name: Add edit permission to the openshift-infra project to metrics-deployer SA
  command: >
    {{ openshift.common.client_binary }} adm
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    policy add-role-to-user edit
    system:serviceaccount:openshift-infra:metrics-deployer
  # Substring test against the raw jsonpath output.
  # NOTE(review): any listed account whose name merely begins with this one
  # would also satisfy the check and suppress the grant - confirm that cannot
  # occur in this namespace.
  when: "'system:serviceaccount:openshift-infra:metrics-deployer' not in edit_rolebindings.stdout"

# Read the userNames of the rolebinding named "view" in openshift-infra.
# Read-only query; the registered result is consulted by the following task.
- name: Test hawkular view permissions
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    get rolebindings -o jsonpath='{.items[?(@.metadata.name == "view")].userNames}'
  register: view_rolebindings
  changed_when: false

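# Grant the "view" role in openshift-infra to the hawkular service account
# when it is not already listed in the "view" rolebinding.
- name: Add view permissions to hawkular SA
  command: >
    {{ openshift.common.client_binary }} adm
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    policy add-role-to-user view
    system:serviceaccount:openshift-infra:hawkular
  # Test the command output (.stdout), as the sibling permission tasks do.
  # The registered result itself is a dict, so a membership test on it looks
  # at its keys and never finds the account name.
  when: "'system:serviceaccount:openshift-infra:hawkular' not in view_rolebindings.stdout"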

# Read the userNames of the clusterrolebinding named "cluster-reader".
# Read-only query; its stdout drives the conditional on the following task.
# NOTE(review): clusterrolebindings are presumably not namespaced, so the
# --namespace flag should have no filtering effect here - confirm.
- name: Test cluster-reader permissions
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    get clusterrolebindings -o jsonpath='{.items[?(@.metadata.name == "cluster-reader")].userNames}'
  register: cluster_reader_clusterrolebindings
  changed_when: false

# Bind the cluster-reader cluster role to the heapster service account.
# add-cluster-role-to-user creates a cluster-level binding: despite the task
# name and the --namespace flag, the read access granted is not limited to
# the openshift-infra project.
- name: Add cluster-reader permission to the openshift-infra project to heapster SA
  command: >
    {{ openshift.common.client_binary }} adm
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    policy add-cluster-role-to-user cluster-reader
    system:serviceaccount:openshift-infra:heapster
  # Skipped when the account already appears in the binding's userNames.
  when: "'system:serviceaccount:openshift-infra:heapster' not in cluster_reader_clusterrolebindings.stdout"

# Create the "metrics-deployer" secret with a single entry, "nothing", whose
# content is read from /dev/null (i.e. empty).
# NOTE(review): presumably a placeholder so that no user-supplied certificate
# is passed to the deployer (see the TODO on the following task) - confirm.
- name: Create metrics-deployer secret
  command: >
    {{ openshift.common.client_binary }}
    --config={{ openshift_hosted_metrics_kubeconfig }}
    --namespace openshift-infra
    secrets new metrics-deployer nothing=/dev/null
  register: metrics_deployer_secret
  changed_when: metrics_deployer_secret.rc == 0
  # Re-runs are tolerated: rc 1 only counts as a failure when stderr does not
  # report that the secret already exists.
  failed_when: metrics_deployer_secret.rc == 1 and 'already exists' not in metrics_deployer_secret.stderr

# TODO: extend this to allow user passed in certs or generating cert with
# OpenShift CA
#
# Assemble the whole "process template | create" pipeline as one string; the
# "Deploy Metrics" task hands that string to the shell module.
# NOTE(review): every variable is interpolated without the quote filter, so
# whitespace or shell metacharacters in any value would be interpreted by the
# shell. image_prefix and image_version are spliced in bare, so presumably
# they already carry their own "-v NAME=value" text (or are empty) - confirm
# before adding quoting.
- name: Build metrics deployer command
  set_fact:
    deployer_cmd: "{{ openshift.common.client_binary }} process -f \
      {{ hosted_base }}/metrics-deployer.yaml -v \
      HAWKULAR_METRICS_HOSTNAME={{ g_metrics_hostname }} \
      -v USE_PERSISTENT_STORAGE={{metrics_persistence | string | lower }} \
      -v DYNAMICALLY_PROVISION_STORAGE={{metrics_dynamic_vol | string | lower }} \
      -v METRIC_DURATION={{ openshift.hosted.metrics.duration }} \
      -v METRIC_RESOLUTION={{ openshift.hosted.metrics.resolution }}
      {{ image_prefix }} \
      {{ image_version }} \
      -v MODE={{ deployment_mode }} \
        | {{ openshift.common.client_binary }} --namespace openshift-infra \
        --config={{ openshift_hosted_metrics_kubeconfig }} \
        create -o name -f -"

# Run the pipeline held in deployer_cmd. The string is passed to the shell
# verbatim, so its safety rests entirely on how deployer_cmd was assembled.
- name: Deploy Metrics
  shell: "{{ deployer_cmd }}"
  register: deploy_metrics
  # "already exists" in stderr is accepted so that re-runs do not fail.
  # NOTE(review): rc is that of the last command in the pipeline; a failure of
  # the first stage is presumably visible only through what the second stage
  # reports - confirm.
  failed_when: "'already exists' not in deploy_metrics.stderr and deploy_metrics.rc != 0"
  changed_when: deploy_metrics.rc == 0

# Record a deployer_pod fact derived from the stdout of "Deploy Metrics".
# NOTE(review): [1:2] applied to a string is a one-character slice, which
# looks unintended for a pod name, and deployer_pod is not referenced by the
# tasks visible here - confirm intent.
- set_fact:
    deployer_pod: "{{ deploy_metrics.stdout[1:2] }}"

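# TODO: re-enable this once the metrics deployer validation issue is fixed
# when using dynamically provisioned volumes
#
# Poll the object named in the "Deploy Metrics" output until the listing
# shows Completed: up to 60 attempts, 10 seconds apart.
- name: "Wait for image pull and deployer pod"
  # command, not shell: no shell features are used, and the resource name is
  # output captured from an earlier command, which should be passed as
  # arguments rather than re-parsed as shell syntax.
  command: >
    {{ openshift.common.client_binary }}
    --namespace openshift-infra
    --config={{ openshift_hosted_metrics_kubeconfig }}
    get {{ deploy_metrics.stdout }}
  register: deploy_result
  # Bare expression: until is already evaluated as a conditional.
  until: "'Completed' in deploy_result.stdout"
  # The wait is advisory (see the TODO above): exhausting the retries does
  # not fail the play.
  # NOTE(review): if "Deploy Metrics" ended in "already exists", its stdout
  # may be empty and this loop would presumably run to the full timeout -
  # confirm.
  failed_when: false
  retries: 60
  delay: 10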

# Set assetConfig.metricsPublicURL in the master configuration file to
# openshift_hosted_metrics_deploy_url, then notify the "restart master"
# handler.
# NOTE(review): modify_yaml is not defined in this file; presumably a module
# shipped with the project - confirm how it handles a missing key or file.
- name: Configure master for metrics
  modify_yaml:
    dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
    yaml_key: assetConfig.metricsPublicURL
    yaml_value: "{{ openshift_hosted_metrics_deploy_url }}"
  notify: restart master